CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
Multiple vulnerabilities were addressed in IBM Application Performance Management 8.1.4.0 Core Framework IF27 patch.
CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-3933
**DESCRIPTION:**Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to restrict access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. By sending a specially crafted request, an attacker could exploit this vulnerability to gain read and write to addresses beyond the end of the array range.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292491 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L)
Affected Product(s) | Version(s) |
---|---|
APM Agents for Monitoring | APM agents using core framework version 8.1.4 to 8.1.4 IF26 patch |
Product| Product
VRMF| Remediation
—|—|—
IBM Cloud Application Performance Management, Base Private
IBM Cloud Application Performance Management, Advanced Private
| 8.1.4|
The vulnerabilities can be remediated by applying the Core Framework interim fix8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0027 to all systems where Cloud APM agents are installed:
<https://www.ibm.com/support/pages/node/7167581>
IBM Cloud Application Performance Management| N/A| After your subscription is upgraded to V8.1.4, the vulnerabilities can be remediated by either
a) downloading the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0027 to all systems where Cloud APM agents are installed and applying the fix by following the instructions at this link:
<https://www.ibm.com/support/pages/node/7167581>
b) downloading the Cloud APM agent packages for the operating systems that your agents run on and using the downloaded packages to upgrade existing agents to use the updated Core Framework or to install new agents with the updated Core Framework.
Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/download_agents_intro.htm> for details on downloading agent packages from IBM Marketplace
Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_agent_upgrade.htm>
for details on upgrading existing agents.
Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_intro.htm>
for details on installing new agents.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | application_performance_management | 8.1.3 | cpe:2.3:a:ibm:application_performance_management:8.1.3:*:*:*:*:*:*:* |
ibm | application_performance_management | 8.1.4 | cpe:2.3:a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High